From: Jeff Thompson <jefft(_at_)shore(_dot_)net>
To: Arup Biswas <ABISWAS(_at_)novell(_dot_)com>, ietf-smime
<ietf-smime(_at_)imc(_dot_)org>,
smime-dev <smime-dev(_at_)RSA(_dot_)COM>
Subject: Re: WG Charter
Date: Thu, 3 Jan 1980 10:47:11 -0500
From: Arup Biswas <ABISWAS(_at_)novell(_dot_)com>
One small detail for the WG to resolve, we need to establish a protocol
about the certificates field in the Signed Data message. Do we keep a
single certificate or the chain? Trusted Root Certificate first or last?
Similarly for the CRLs.
I think you should push as many certificates when sending a message
that you think will help the recipient validate your public key.
Agreed in principle, but you will normally know the order in which to
push them, it is not just any old random set of certificates, is it?
As for the certificates field, it is a SET OF, not a SEQUENCE OF.
This is odd. The X.509 spec uses SEQUENCE for its forward and reverse
certification paths, so why are we using SET ? This places
unnecessary burden on the receiver to sort out the jumble.
If we are going to go for a SEQUENCE (or SET OF SEQUENCES which
solves the multiple key problem), two alternative schemes are
possible. Start with the trusted root (or roots), and if the receiver
does not know any of them, he can pack up there and then.
Alternatively, start with the senders certificate, and work down the
chain from there till you come to a certificate you trust (which
might be before a trusted root, so it can be more efficient)
But if it is a bag of certificates, as proposed, then the receiver
has to sort them before he can start.
David
***************************************************
David W Chadwick
IT Institute, University of Salford, Salford M5 4WT
Tel +44 161 745 5351 Fax +44 161 745 8169
Email D(_dot_)W(_dot_)Chadwick(_at_)iti(_dot_)salford(_dot_)ac(_dot_)uk
Home Page http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500 http://www.salford.ac.uk/its024/X500.htm
***************************************************